Data Protection Center

In transit: all traffic is encrypted with TLS 1.3 and HSTS-pinned.

At rest: dreams, voice journals and AI outputs are stored on AES-256-encrypted volumes managed by our cloud provider.

Secrets are stored in a managed vault and rotated regularly.

Every table is protected by row-level security. Users can only read and write their own vault. Administrative roles are scoped, time-bound, and require multi-factor authentication.

Password sign-in is paired with breach-detection, optional biometric unlock, OTP-based account recovery, and rate-limited brute-force protection. Sessions are bound to device fingerprints and rotated frequently.

Every administrative action — moderation, broadcasts, support access — is recorded in an append-only audit log with actor, target, timestamp and reason. Logs are reviewed regularly.

We run on hardened cloud infrastructure with isolated environments for production, staging, and development. Network access is restricted by allowlist; databases are not exposed to the public internet.

Sessions automatically expire after extended inactivity. You can sign out of all devices from your Profile and request a forced revocation by writing to support.

Your vault is logically isolated per user. Analytics never include dream content. Voice transcription is performed in a sandboxed pipeline; raw audio is retained only as long as needed to produce the transcript.

We welcome coordinated disclosure. Email support@dreamvaultai.io with a description, reproduction steps and your contact information. We will acknowledge within two business days.